
Bug#802089: ext4magic: recover or examine on ext4 file system is impossible


Roberto Maar

Oct 17, 2015, 9:50:02 AM
Package: ext4magic
Version: 0.3.2-2
Severity: normal

Dear Maintainer,

ext4magic misinterprets the physical block addresses and block lengths of the ext4 inode.
With each call of ext4magic, different random and too-large values are determined.
Thus, recovery from an ext4 file system is not possible.
The error is permanent and 100% reproducible (also on i386).
Often with the additional warning: "error-NR 22 can not found file"


Example:

# ext4magic -T -I2 -x /dev/sdb1 #debian 8.2 (amd64)
....
Dump Inode 2 from journal transaction 0
Inode: 2 Type: directory Mode: 0755 Flags: 0x80000
Generation: 0 Version: 0x00000000:00000004
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 5 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1444944845:3712000000 -- Thu Oct 15 23:34:05 2015
atime: 1444944255:1968000000 -- Thu Oct 15 23:24:15 2015
mtime: 1444944845:3712000000 -- Thu Oct 15 23:34:05 2015
crtime: 1444943306:0000000000 -- Thu Oct 15 23:08:26 2015
Size of extra inode fields: 28
Level Entries Logical Physical Length Flags
0/ 0 1/ 1 0 - 25855 89219572695840 - 89219572721695 25856
......
The block length 25855 and the start block 89219572695840 are random values,
and the false block data would also be used during a recovery attempt.



The correct output should be: #OpenSuse 13.1 (x86-64)
......
Dump Inode 2 from journal transaction 0
Inode: 2 Type: directory Mode: 0755 Flags: 0x80000
Generation: 0 Version: 0x00000000:00000004
User: 0 Group: 0 Size: 4096
File ACL: 0 Directory ACL: 0
Links: 5 Blockcount: 8
Fragment: Address: 0 Number: 0 Size: 0
ctime: 1444944845:3712000000 -- Thu Oct 15 23:34:05 2015
atime: 1444944255:1968000000 -- Thu Oct 15 23:24:15 2015
mtime: 1444944845:3712000000 -- Thu Oct 15 23:34:05 2015
crtime: 1444943306:0000000000 -- Thu Oct 15 23:08:26 2015
Size of extra inode fields: 28
Level Entries Logical Physical Length Flags
0/ 0 1/ 1 0 - 0 8865 - 8865 1
2 d 755 (2) 0 0 4096 15-Oct-2015 23:08 .
2 d 755 (2) 0 0 4096 15-Oct-2015 23:08 ..
11 d 700 (2) 0 0 16384 15-Oct-2015 23:08 lost+found
393217 d 755 (2) 0 0 12288 15-Oct-2015 23:04 etc
< 131073> d 755 (2) 0 0 65536 15-Oct-2015 23:20 doc
524289 d 755 (2) 0 0 4096 15-Oct-2015 22:51 help
.......

See also Ticket #3 on ext4magic sf.net site.


-- System Information:
Debian Release: 8.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ext4magic depends on:
ii e2fslibs 1.42.12-1.1
ii libblkid1 2.25.2-6
ii libbz2-1.0 1.0.6-7+b3
ii libc6 2.19-18+deb8u1
ii libmagic1 1:5.22+15-2
ii libuuid1 2.25.2-6
ii zlib1g 1:1.2.8.dfsg-2+b1

ext4magic recommends no packages.

ext4magic suggests no packages.

-- no debconf information
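
An added example, not part of the original report and not ext4magic's code: it decodes the extent record in an inode's i_block from the on-disk ext4 layout and applies two plausibility checks to the extent values shown in the two dumps above. The 4096-byte block size, the filesystem size `FS_BLOCKS` and the helper names are assumptions, and the sample i_block bytes are constructed from the reported numbers.

```python
import struct

EXT4_EXT_MAGIC = 0xF30A    # eh_magic in struct ext4_extent_header
EXT_INIT_MAX_LEN = 32768   # ee_len above this marks an unwritten extent

def parse_leaf_extents(i_block):
    """Decode the leaf extents held in an inode's 60-byte i_block area."""
    magic, entries, max_entries, depth, _gen = struct.unpack_from("<HHHHI", i_block, 0)
    if magic != EXT4_EXT_MAGIC:
        raise ValueError("no extent header, magic is 0x%04x" % magic)
    if depth != 0:
        raise ValueError("index node: entries are ext4_extent_idx records")
    if entries > max_entries or 12 + 12 * entries > len(i_block):
        raise ValueError("eh_entries does not fit in i_block")
    extents = []
    for n in range(entries):
        # ee_block, ee_len, ee_start_hi, ee_start_lo (little-endian, 12 bytes)
        logical, ee_len, hi, lo = struct.unpack_from("<IHHI", i_block, 12 + 12 * n)
        length = ee_len - EXT_INIT_MAX_LEN if ee_len > EXT_INIT_MAX_LEN else ee_len
        extents.append({"logical": logical, "physical": (hi << 32) | lo, "length": length})
    return extents

def check_extents(extents, fs_blocks, blockcount, block_size=4096):
    """Return reasons why the decoded extents cannot be correct."""
    problems = []
    for e in extents:
        if e["length"] == 0 or e["physical"] + e["length"] > fs_blocks:
            problems.append("extent at %d lies outside the filesystem" % e["physical"])
    # Blockcount is in 512-byte units (no HUGE_FILE flag in Flags: 0x80000)
    if sum(e["length"] for e in extents) * block_size > blockcount * 512:
        problems.append("extents map more blocks than Blockcount allows")
    return problems

def build_i_block(logical, length, physical):
    """Constructed sample: a depth-0 node with a single extent."""
    header = struct.pack("<HHHHI", EXT4_EXT_MAGIC, 1, 4, 0, 0)
    extent = struct.pack("<IHHI", logical, length, physical >> 32, physical & 0xFFFFFFFF)
    return (header + extent).ljust(60, b"\0")

FS_BLOCKS = 4000000  # constructed: the report does not state the filesystem size

if __name__ == "__main__":
    # First pair: values from the OpenSuse dump; second: from the Debian dump
    for length, physical in ((1, 8865), (25856, 89219572695840)):
        extents = parse_leaf_extents(build_i_block(0, length, physical))
        print(extents, check_extents(extents, FS_BLOCKS, blockcount=8))
```

The second check needs no knowledge of the device size: an inode with Blockcount 8 can map only one 4096-byte block.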

Eriberto Mota

Nov 29, 2015, 8:10:02 PM
Hi Roberto,

Thanks for your report. I tested ext4magic over Debian Unstable now
and the problem also occurs.

I applied your patch and uploaded a new package to unstable. When in
testing (five days), I will upload to Jessie-Backports.

To close this bug, I will wait for a final solution.

Thanks a lot in advance.

Regards,

Eriberto